© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-2016 Cisco Public
Branch Office Wireless LAN Design BRKEWN-2016
Abstract
This session focuses on the architecture concepts of branch office WLAN deployments, emphasising the core technologies that drive and enable mobility in retail, banking, education, enterprise or managed WLAN services. Topics covered include an in-depth protocol description of H-REAP/FlexConnect and all deployment options in practice, based on customer case studies of their application in the branch environment.
Objectives
Design & Deploy Branch Network That Increases
Business Resiliency
Agenda
Learn Cisco Unified Wireless LAN Principles (Reminder)
Understand Wireless Branch Deployment Options
Evaluate FlexConnect Architectural Requirements
Identify the need for FlexConnect & AP Groups
Design a Resilient Branch Network
Design Secure & BYOD enabled Branch Network
How to operate Wireless Branch efficiently over WAN
Cisco Unified Wireless LAN Principles
Cisco Unified Wireless Principles
Components
• Wireless LAN controllers
• Aironet access points
• Management System (Prime Infrastructure)
• Mobility Service Engine (MSE)
Principles
• The AP must have CAPWAP connectivity with the WLC
• Configuration is downloaded to the AP by the WLC
• All Wi-Fi traffic is forwarded to the WLC
[Diagram: Wireless LAN Controllers, Aironet Access Point, WCS and MSE in the Campus Network]
CAPWAP Overview: Control and Provisioning of Wireless Access Points
CAPWAP is a standard, interoperable protocol that enables an Access Controller (AC) to manage a collection of Wireless Termination Points (WTPs)
CAPWAP carries control and data traffic between the two
‒ Control plane is DTLS encrypted
‒ Data plane is DTLS encrypted (optional)
CAPWAP supports only Layer 3 mode deployments
[Diagram: Wi-Fi Client, Access Point, Controller and Business Application, with the CAPWAP Control Plane and Data Plane running between Access Point and Controller]
CAPWAP Modes: Split MAC
The CAPWAP protocol supports two modes of operation
‒ Split MAC (Centralised Mode)
‒ Local MAC (H-REAP/FlexConnect)
[Diagram, Split MAC: STA – WTP (wireless PHY / MAC sublayer) – CAPWAP Data Plane – AC; wireless frame in, 802.3 frame out at the AC]
CAPWAP Modes: Local MAC
Local MAC mode of operation allows the data frames to be either locally bridged or tunneled as 802.3 frames
Locally bridged
[Diagram, locally bridged: STA – WTP (wireless PHY / MAC sublayer); wireless frame in, 802.3 frame out locally; AC shown alongside]
FlexConnect supports locally bridged MAC and split MAC per SSID
CAPWAP Modes: Local MAC, tunneled as 802.3 frames
[Diagram, tunneled: STA – WTP (wireless PHY / MAC sublayer) converts the wireless frame to an 802.3 frame and tunnels it to the AC over the CAPWAP Data Plane]
Tunneled local MAC is not supported by Cisco
Wireless Branch Deployment Options
Branch Office with Local WLAN Controller: Overview
Branches can also have local remote controllers
Small form factor WLCs are available for small campuses: WLC-25xx, integrated controller modules in ISR/ISR-G2, or the Catalyst 3850 Switch
High-availability design with a central backup controller is supported; WAN limitations may apply
[Diagram: Remote Sites A and B (WLC-25xx, WLCM for ISR/ISR-G2) connected over the WAN to a Backup Central Controller at the Central Site]
Branch Office with Local WLAN Controller: Advantages
Cookie cutter configuration for every branch site
Layer-3 roaming within the branch
Reliable Multicast (filtering)
IPv6 L3 Mobility
AAA-ACL & QoS Override
Note: If you have an ISR/ISR G2 at the branch site, it is recommended to use the IOS Firewall at the edge for unified access policies.
Branch Office Deployment: FlexConnect (H-REAP)
Hybrid architecture
Single management and control point
Data Traffic Switching
‒ Centralised traffic (split MAC), or
‒ Local traffic (local MAC)
HA will preserve local traffic only
Traffic Switching is configured per AP and per WLAN (SSID)
[Diagram: Remote Office APs over the WAN to a Cluster of WLCs at the Central Site; two SSIDs shown as Centralised Traffic, one as Local Traffic]
FlexConnect Glossary
Connected Mode – When the FlexConnect AP can reach the controller (connected state), it relies on the controller to complete client authentication.
Standalone Mode – When the controller is not reachable by the FlexConnect AP, the AP goes into standalone state and performs client authentication by itself.
Local Switching – Data traffic for an SSID is switched onto local VLANs
Central Switching – Data traffic for an SSID is tunneled back to the WLC
Configure FlexConnect Mode, Step 1: Configure Access Point Mode
Enable FlexConnect mode per AP
Supported APs: AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500, AP-1600, AP-2600, AP-3600
Configure FlexConnect Local Switching, Step 2: Enable Local Switching per WLAN
Only WLANs with “FlexConnect Local Switching” enabled are locally switched on the FlexConnect AP
Configure FlexConnect VLAN Mapping, Step 3: FlexConnect Specific Configuration
A FlexConnect AP can be connected to an access port or to an 802.1Q trunk port (using the native VLAN)
VLAN Support provides the ability to configure remote VLAN to WLAN mappings. VLAN mapping can be performed per AP on the WLC and/or by AP groups using Prime Infrastructure templates
Configure FlexConnect VLAN Mapping, Step 4: FlexConnect Specific Configuration – Native VLAN
When the AP connects using a native VLAN, the L2 switchport must also be configured with the matching native VLAN
Each SSID that is allowed to be locally switched should have its VLAN allowed on the corresponding switchport.
Configure FlexConnect VLAN Mapping, Step 5: Per AP SSID to VLAN Mapping
Mapping of SSID to 802.1Q VLAN is done per FlexConnect AP, or through NCS configuration templates
Configure FlexConnect VLAN Mapping, Step 6: Using NCS
Prime Infrastructure provides simplified configuration of all FlexConnect APs with one Lightweight AP Template
Evaluate FlexConnect Architectural Requirements
FlexConnect Design Considerations: WAN Limitations Apply (For Your Reference)

Deployment Type   WAN Bandwidth (Min)   WAN RTT Latency (Max)   Max APs per Branch   Max Clients per Branch
Data              128 kbps              300 ms                  5                    25
Data+Voice        128 kbps              100 ms                  5                    25
Data              128 kbps              1 sec                   1                    1
Monitor           128 kbps              2 sec                   5                    N/A
Data              1.44 Mbps             1 sec                   50                   1000
Data+Voice        1.44 Mbps             100 ms                  50                   1000
Monitor           1.44 Mbps             2 sec                   50                   1000
FlexConnect Design Considerations: Feature Limitations Apply
Some features are not available in standalone mode or in local switching mode
‒ MAC/Web Auth in Standalone Mode
‒ Mesh AP
‒ VideoStream
‒ IPv6 L3 Mobility
‒ SXP TrustSec
‒ AAA ACL & QoS override
‒ See the full list in the FlexConnect Feature Matrix: http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3690b.shtml
Economies of Scale for Lean Branches: Flex 7500 Wireless Controller
Access Points: 300-6,000
Clients: 64,000
Branches: 6000
Access Points / Branch: 100
Deployment Model: FlexConnect
Form Factor: 1 RU
IO Interface: 2 x 10GE
Upgrade Licenses: 100, 200, 500, 1K
Key Differentiation
WAN Tolerance
• High Latency Networks
• WAN Survivability
Security
• 802.1x based port authentication
Voice support
• Voice CAC
• OKC/CCKM
Flex 7500 Scale & Feature Update – 7.0.116.0 to 7.4

Scalability                   7.0.116.0   7.2      7.4
Total APs                     2000        3000     6000
Total Clients                 20,000      30,000   64,000
Total FlexConnect Groups      500         1000     2000
Support for OEAPs             No          Yes      Yes
Central Switching BW Limit    ~250 Mb     ~1 Gb    ~1 Gb
Data DTLS Support             No          Yes      Yes
Central Switching 802.1x      No          Yes      Yes
FlexConnect Improvements in Release 7.3 & 7.4
AAA-VLAN override in Local Switching
ACL support in Local Switching
P2P Blocking support in Local Switching
Smart AP Image Upgrade
External Web-Auth support for Guest Deployments in Local Switching
Mobile Device On-boarding support in Local Switching
WGB/uWGB Support for Local Switching WLANs
VLAN Based Central Switching
Split Tunnelling
Why do we need FlexConnect & AP Groups?
Understanding AP Groups: Overview
AP Groups is a logical concept of grouping APs which deliver similar Wi-Fi services; these services can be:
‒ By physical location, and/or
‒ By functional services (data, voice, guest, …)
The same AP groups need to be defined in all WLCs of a mobility group
[Diagram: AP Group 1 at the Central Site and AP Groups 2 and 3 at Remote Sites A and B, connected over the WAN to a Flex 7500]

Scaling              Flex 7500   CT-5508   WiSM-2   CT-2504
# AP Groups          2000        512       512      30
# WLAN (SSID)        512         512       512      16
# VLAN (Interfaces)  512         512       512      16
Understanding AP Groups: Rules to Know
Rules
• An AP can be in only one AP Group
• One WLAN (SSID) can be in several AP Groups
• WLANs with ID 1-16 cannot be removed from the ‘default-group’
• WLANs with ID greater than 16 will never be part of the ‘default-group’
• All APs with no AP Group name or an unknown AP Group name will be part of the ‘default-group’
Well known mistakes
• Creating no AP group, but creating a WLAN with ID 17+.
• Having AP groups defined, creating a WLAN with ID 17+ but never mapping the WLAN to any AP Group.
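The rules and the two well-known mistakes above can be turned into a pre-deployment audit. The following Python is an added example, not from the Cisco deck or any controller API; the data model (WLAN ID to SSID, AP group to WLAN IDs, AP to configured group name) and the sample plan are constructed here.

```python
"""Audit an AP-group / WLAN plan against the AP-group rules in this session.

Added example with a constructed data model; nothing is read from a controller.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

DEFAULT_GROUP = "default-group"
LEGACY_MAX_WLAN_ID = 16  # WLAN IDs 1-16 are always part of the default-group


@dataclass
class ApGroup:
    name: str
    wlan_ids: Set[int] = field(default_factory=set)  # WLAN IDs mapped into the group


def effective_wlans(groups: Dict[str, ApGroup], wlans: Dict[int, str]) -> Dict[str, Set[int]]:
    """WLAN IDs each group really advertises once the default-group rules are applied."""
    eff = {name: set(g.wlan_ids) for name, g in groups.items()}
    default = eff.setdefault(DEFAULT_GROUP, set())
    default.update(i for i in wlans if i <= LEGACY_MAX_WLAN_ID)            # cannot be removed
    default.difference_update(i for i in wlans if i > LEGACY_MAX_WLAN_ID)  # never included
    return eff


def resolve_group(ap_group_name: str, groups: Dict[str, ApGroup]) -> str:
    """An AP with no group name, or an unknown one, lands in the default-group."""
    return ap_group_name if ap_group_name in groups else DEFAULT_GROUP


def audit(wlans: Dict[int, str], groups: Dict[str, ApGroup], aps: Dict[str, str]) -> List[str]:
    """Return findings for a plan. `aps` maps AP name -> configured group name;
    a dict enforces the rule that an AP can be in only one AP group."""
    findings: List[str] = []
    eff = effective_wlans(groups, wlans)

    # Default-group edits that the controller will not honour.
    cfg = groups.get(DEFAULT_GROUP)
    if cfg is not None:
        legacy = {i for i in wlans if i <= LEGACY_MAX_WLAN_ID}
        for wid in sorted(legacy - cfg.wlan_ids):
            findings.append(f"WLAN {wid}: cannot be removed from {DEFAULT_GROUP}, stays advertised")
        for wid in sorted(i for i in cfg.wlan_ids if i > LEGACY_MAX_WLAN_ID):
            findings.append(f"WLAN {wid}: ID > {LEGACY_MAX_WLAN_ID} is never part of {DEFAULT_GROUP}, mapping ignored")

    # APs pointing at a missing group silently join the default-group.
    for ap, gname in aps.items():
        if gname not in groups:
            findings.append(f"AP {ap}: group {gname!r} not defined, AP joins {DEFAULT_GROUP}")
    populated = {resolve_group(g, groups) for g in aps.values()}

    # The two well-known mistakes: a WLAN 17+ that no group (with APs in it) advertises.
    for wid, ssid in sorted(wlans.items()):
        advertising = {g for g, ids in eff.items() if wid in ids}
        if not advertising:
            findings.append(f"WLAN {wid} ({ssid}): not mapped to any AP group, never broadcast")
        elif not advertising & populated:
            findings.append(f"WLAN {wid} ({ssid}): only mapped to AP groups that contain no APs")
    return findings


# Constructed sample plan: two remote sites plus a mis-configured default-group.
WLANS = {1: "Corporate-Data", 2: "Corporate-Voice", 17: "Guest-Access", 18: "Scanners"}
GROUPS = {
    "Store": ApGroup("Store", {1, 17}),
    "Plant": ApGroup("Plant", {1, 2}),                 # WLAN 18 (Scanners) never mapped
    DEFAULT_GROUP: ApGroup(DEFAULT_GROUP, {1, 18}),    # tries to drop WLAN 2 and add WLAN 18
}
APS = {"ap-store-1": "Store", "ap-plant-1": "Plant", "ap-hq-1": "Central"}  # "Central" undefined

if __name__ == "__main__":
    for line in audit(WLANS, GROUPS, APS):
        print(line)
```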
AP Groups Configuration: Create a New Group
AP Groups Configuration: Add AP or APs to Group
AP Groups Usage: Per Location SSID
AP groups give the ability to enable Wi-Fi Services (WLAN) based on physical location
Example
‒ Central Site: Corporate-Voice, Corporate-Data, Guest-Access
‒ Manufacturing Plant: Corporate-Voice, Corporate-Data, Scanners
‒ Store: Corporate-Data, Guest-Access
[Diagram: Central Site, Store and Manufacturing Plant (AP Groups 1-3) over the WAN/MAN, each advertising its SSIDs; Guest-Access goes to the Internet]
AP Groups Usage: Per AP Group SSID to VLAN Mapping
AP groups give the ability to statically map a Wi-Fi service (WLAN) to a VLAN based on physical location
Users see the same Wi-Fi service on all sites, and the IP subnet can be used for monitoring or filtering
Can also be used to have smaller Wi-Fi subnets, for example per-floor subnets in a building.
[Diagram: Corporate-Data mapped to VLAN-1, VLAN-2 and VLAN-3 at the Central Site, Manufacturing Plant and Store (AP Groups 1-3) over the WAN/MAN]
AP Groups Configuration/VLAN Mapping
Understanding FlexConnect Groups: Overview
FlexConnect groups allow sharing of:
‒ CCKM/OKC fast roaming keys
‒ Local/backup RADIUS server IPs/keys
‒ Local user authentication
‒ Local EAP authentication
‒ AAA-Override for Local Switching
‒ Smart Image Upgrade
[Diagram: FlexConnect Group 1 and FlexConnect Group 2, one per Remote Site, over the WAN to a Flex 7500 Cluster at the Central Site]

Scaling information
Scaling             Flex 7500   CT-5508   WiSM2   CT-2504
FlexConnect Groups  2000        100       100     20
AP per Group        100         25        25      25
FlexConnect Groups and CCKM/OKC Keys
CCKM/OKC keys are stored on FlexConnect APs for Layer 2 fast roaming
The FlexConnect APs receive the CCKM/OKC keys from the WLC
If a FlexConnect AP boots up in standalone mode, it will not get the OKC/CCKM keys from the WLC, so fast roaming will not be supported
[Diagram: RADIUS Server at the Central Site; CCKM Keys distributed over the WAN to FlexConnect Group 1 and FlexConnect Group 2 at the Remote Sites]
FlexConnect Groups Creation
Step 1: Add a New FlexConnect Group
Step 2: Add APs to the FlexConnect Group
Design Wireless Branch: Designing a Resilient Network
FlexConnect Backup Scenario: WAN Failure
FlexConnect falls back to locally switched mode
‒ No impact for locally switched SSIDs
‒ Clients of centrally switched SSIDs are disconnected
Static authentication keys are locally stored in the FlexConnect AP
Lost features
‒ RRM, WIDS, location, other AP modes
‒ Web authentication, NAC
[Diagram: Remote Site cut off from the Central Site Application Server by a WAN failure]
FlexConnect Backup Scenario: WLC Failure
FlexConnect first falls back to locally switched mode
‒ No impact for locally switched SSIDs
‒ Clients of centrally switched SSIDs are disconnected
CCKM roaming allowed within the FlexConnect group
The FlexConnect AP will then search for a backup WLC; when a backup WLC is found, the FlexConnect AP resyncs with that WLC and resumes client sessions with central traffic.
Client sessions with local traffic are not impacted during the resync with the backup WLC.
[Diagram: Remote Site over the WAN to the Central Site Application Server; primary WLC failed]
FlexConnect Group, Local Backup RADIUS: Backup Scenario
Normal authentication is done centrally
On WAN failure, the AP authenticates new clients with the locally defined RADIUS server
Existing connected clients stay connected
Clients can roam with
‒ CCKM fast roaming, or
‒ Reauthentication
[Diagram: FlexConnect Group 1 at the Remote Site with a Local Backup RADIUS and CCKM Fast Roaming; Central RADIUS at the Central Site across the WAN]
H-REAP Group, Local Backup RADIUS: Configuration
Define primary and secondary local backup RADIUS server per H-REAP group
Local Authentication
By default the FlexConnect AP authenticates clients through the central controller
Local Authentication allows use of a local RADIUS server directly from the FlexConnect AP
[Diagram: FlexConnect Group 1 at the Remote Site with a Local RADIUS; Central RADIUS at the Central Site across the WAN]
Local Authentication Configuration
FlexConnect Group, Local Backup Authentication: Backup Scenario
Normal authentication is done centrally
On WAN failure, the AP authenticates new clients with its local database
Each FlexConnect AP has a copy of the local user DB
Existing authenticated clients stay connected
Clients can roam with:
‒ CCKM fast roaming, or
‒ Local re-authentication
Only LEAP and EAP-FAST are supported!
[Diagram: FlexConnect Group 1 at the Remote Site with CCKM Fast Roaming; Central RADIUS at the Central Site across the WAN]
FlexConnect Group, Local Backup Authentication: Configuration
Define users (max 100) and passwords
Define EAP parameters (LEAP or EAP-FAST)
FlexConnect Backup Scenario: WAN Down Behaviour (Bootup in Standalone Mode)
Central Switched WLANs will shut down
Web-auth WLANs will shut down
Local Switched WLANs will be up:
‒ Only Open, Shared and WPA-PSK are allowed.
‒ Local 802.1x allowed with local authentication or local RADIUS
Unsupported features
‒ RRM, CCKM, WIDS, Location, Other AP Modes, NAC.
Not Supported Backup Scenario: AP Changing Mode on Failure
An AP cannot automatically change from local mode to FlexConnect mode on local WLC failure
Changing mode is a configuration task of the AP
Why it does not make sense
‒ Need for dual configuration at the switch level (access port for central, 802.1Q for FlexConnect)
‒ Lost controller features when going to FlexConnect
If you accept FlexConnect locally, then don’t implement a local WLC!
[Diagram: Remote Site with a local WLC and the Central Site Application Server across the WAN; marked "Not Supported Backup Scenario!"]
Not Supported Backup Scenario: Auto-Enabling Backup Local Switching
A FlexConnect AP cannot be configured with two SSIDs of the same name, one in central switching mode and one in local switching mode, so that the locally switched SSID becomes active when central switching is down
Changing the enable status of an SSID is a configuration task at the WLC level
Cisco recommends using Local Switching. Why? Fault tolerance will always keep the client connection up.
[Diagram: H-REAP AP at the Remote Site with SSID “Data” (Central Switching) and SSID “Data” (Local Switching), one enabled and one disabled; Primary and Backup Application Servers at the Central Site across the WAN; marked "Not Supported Backup Scenario!"]
Failover Matrix (For Your Reference)

Feature                                 WAN Up (Connected)   WAN Down (Standalone)
Static Security Keys (WEP, WPA2/PSK)    Yes                  Yes
802.1x/EAP                              Yes                  Yes
RADIUS                                  Yes                  Yes (local RADIUS backup)
Local Authentication                    Yes                  Yes
OKC Fast Roaming                        Yes                  Yes (not new clients)
WebAuth & MAC Auth                      Yes                  No
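The WAN-down behaviour slide and the failover matrix together define what survives on a FlexConnect AP in standalone mode. The Python below is an added example that encodes those rules as a per-WLAN predictor; it is not code from the Cisco deck or a controller API, and the WLAN/group data model and the sample branch are constructed.

```python
"""Predict how each WLAN on a FlexConnect AP behaves once the WAN is down.

Added example encoding the standalone-mode rules from this session (which WLANs
shut down, which security types still authenticate, what fast roaming needs).
The WLAN/group data model and the sample branch below are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Security(Enum):
    OPEN = "open"
    SHARED = "shared"          # static WEP
    WPA_PSK = "wpa-psk"
    DOT1X = "802.1x"           # WPA/WPA2-Enterprise
    WEBAUTH = "webauth"        # Layer 3 web authentication
    MAC_AUTH = "mac-auth"


STATIC_KEY = {Security.OPEN, Security.SHARED, Security.WPA_PSK}
LOCAL_AUTH_EAP = {"LEAP", "EAP-FAST"}     # the only EAP types the AP-local user DB supports


@dataclass
class Wlan:
    ssid: str
    local_switching: bool
    security: Security
    eap_method: Optional[str] = None       # for 802.1x WLANs: "PEAP", "EAP-TLS", "LEAP", ...


@dataclass
class FlexGroup:
    backup_radius: bool = False            # local/backup RADIUS server defined in the group
    local_auth: bool = False               # local user DB (max 100 users) pushed to the APs


def standalone_state(w: Wlan, g: FlexGroup, booted_standalone: bool = False) -> Dict[str, object]:
    """Return {'up', 'new_clients', 'fast_roaming', 'reason'} for one WLAN in standalone mode.

    booted_standalone=True models an AP that came up without ever reaching the WLC,
    so it never received CCKM/OKC keys."""
    # Keys for fast roaming come from the WLC; no WLC contact, no keys.
    fast_roaming = w.security is Security.DOT1X and not booted_standalone

    if not w.local_switching:
        return dict(up=False, new_clients=False, fast_roaming=False,
                    reason="centrally switched WLAN shuts down")
    if w.security in (Security.WEBAUTH, Security.MAC_AUTH):
        return dict(up=False, new_clients=False, fast_roaming=False,
                    reason="web/MAC authentication needs the controller")
    if w.security in STATIC_KEY:
        return dict(up=True, new_clients=True, fast_roaming=False,
                    reason="static keys are stored on the AP")
    # 802.1x: a local authenticator is needed to admit new clients.
    if g.backup_radius:
        return dict(up=True, new_clients=True, fast_roaming=fast_roaming,
                    reason="802.1x via local backup RADIUS")
    if g.local_auth and w.eap_method in LOCAL_AUTH_EAP:
        return dict(up=True, new_clients=True, fast_roaming=fast_roaming,
                    reason="802.1x via AP-local authentication")
    if g.local_auth:
        return dict(up=True, new_clients=False, fast_roaming=fast_roaming,
                    reason=f"local authentication supports only LEAP/EAP-FAST, not {w.eap_method}")
    return dict(up=True, new_clients=False, fast_roaming=fast_roaming,
                reason="no local authenticator; existing sessions only")


def survivability_report(wlans: List[Wlan], g: FlexGroup, booted_standalone: bool = False) -> List[str]:
    """One line per WLAN, suitable for a design review."""
    lines = []
    for w in wlans:
        s = standalone_state(w, g, booted_standalone)
        lines.append(f"{w.ssid:<16} up={s['up']!s:<5} new_clients={s['new_clients']!s:<5} "
                     f"fast_roaming={s['fast_roaming']!s:<5} {s['reason']}")
    return lines


# Constructed sample branch: group with a local backup RADIUS, no local user DB.
BRANCH = FlexGroup(backup_radius=True, local_auth=False)
WLANS = [
    Wlan("Corporate-Data", local_switching=True, security=Security.DOT1X, eap_method="PEAP"),
    Wlan("Corporate-Voice", local_switching=False, security=Security.DOT1X, eap_method="EAP-FAST"),
    Wlan("Scanners", local_switching=True, security=Security.WPA_PSK),
    Wlan("Guest-Access", local_switching=True, security=Security.WEBAUTH),
]

if __name__ == "__main__":
    print("\n".join(survivability_report(WLANS, BRANCH)))
```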
Designing Secure & BYOD Enabled Branch Network
Understanding Local Switched Access Lists
Description
‒ Support for ACL in FlexConnect local switching mode
‒ ACL mapped to local VLAN per AP or FlexConnect Group
‒ 512 FlexConnect ACLs per WLC
‒ 16 ingress ACLs & 16 egress ACLs per AP
‒ 64 rules per ACL
‒ No IPv6 ACL
[Diagram: Remote Site over the WAN to the Central Site Application Server]
Local Switching Access Lists: Configuration
ACL rule creation and application for FlexConnect is identical to WLC rule creation for Local Mode
Example: P2P Blocking for the 192.168.3.0 network.
[Screenshot callouts: Step 1, Step 2, Step 3 – click to add ACL rules; provision to assign separate Inbound & Outbound ACLs]
Local Switching Peer-to-peer Blocking (New in 7.2)
Description
‒ Support for Peer-to-Peer blocking in FlexConnect AP
‒ Applies to clients on the same FlexConnect AP
‒ P2P blocking modes: disable or drop
‒ For inter-AP P2P blocking use ACL or the Private VLAN function
[Diagram: Remote Site over the WAN to the Central Site Application Server]
Local Switching Peer-to-peer Blocking: Configuration
Multiple Policy Touch Points
Both modes of operation will drop the packet at the AP for a Local Switching enabled WLAN
* A Central Switching WLAN will support “Forward - UpStream” and will send the packet to the next upstream node connected to the WLC
FlexConnect AAA VLAN Override (New in 7.2)
Description
‒ AAA VLAN Override with local or central authentication
‒ Up to 16 VLANs per FlexConnect AP
‒ VLAN ID must be enabled per AP or FlexConnect Group
‒ If the VLAN ID does not exist, the default VLAN is used
‒ QoS and ACL Override is not supported.
[Diagram: FlexConnect Group 1 at the Remote Site with clients placed into VLAN 3, VLAN 7 and VLAN 504 by the Central RADIUS at the Central Site; Application Server across the WAN]
FlexConnect AAA VLAN Override: Configuration
[Screenshots: ISE across the WAN returning the RADIUS IETF attributes 64, 65 and 81 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID); create the sub-interface on the FlexConnect AP]
External WebAuth with Local Switching
Description
‒ Provides L3 Web Redirect from a locally switched VLAN
‒ Reduces WAN traffic by locally switching guest traffic
‒ Flexible and centralised web portal creation for multiple sites
‒ Provides flexible use of Conditional and Splash Page Web Redirect
‒ FlexConnect AP must be in Connected state with the centralised controller to work
[Diagram: FlexConnect Group 1 at the Remote Site with VLAN 503 and VLAN 7; Central Site across the WAN; external WebServer on the Internet]
External WebAuth with Local Switching: Configuration
Step 1: Configure the Pre-Auth ACL that will be applied to the FlexConnect Group, AP or WLAN
[Screenshot callout: External Web-Server IP]
External WebAuth with Local Switching: Configuration
Step 2: Apply the Pre-Auth ACL to the WLAN
External WebAuth with Local Switching: Configuration
Step 3: Apply the Pre-Auth ACL to the FlexConnect Group (map WLAN-Id to Pre-Auth ACL)
External WebAuth with Local Switching: Configuration
Step 4: Configure the External Web Server
[Screenshot callout: External Web-Server IP]
External WebAuth with Local Switching Configuration: Verification
Finally, ensure the ACL assignment is correct at the AP: navigate to “Wireless > All APs > <Flex AP> > FlexConnect” and click External WebAuth ACLs
BYOD Device On-Boarding in Local Switching, Example: Apple iOS Device Provisioning
1. Initial connection using PEAP (client, WLC, ISE)
2. Device Provisioning Wizard (ISE with the CA-Server)
3. Future connections using EAP-TLS; the client reconnects (client, WLC, ISE)
Steps for Integrating the Controller and ISE
1. Configure WLAN for 802.1x Authentication
• Configure RADIUS Server on Controller
• Setup WLAN for AAA Override, Profiling and RADIUS NAC
2. Configure ISE Profiling
• Enable profiling sensors
3. Setup Access Restrictions
• Configure ACLs to filter and control network access.
Configuring ISE as the Authentication Server and Accounting Server
1. Enable “RFC 3576” to support Change of Authorisation
2. Add ISE to the Accounting Servers to receive session statistics
Configuring the WLAN for Secure Connectivity: Enabling Secure Authentication and Encryption with WPA2-Enterprise
1. WPA2 Security with AES Encryption
Configuring the WLAN for ISE Identity-based Networking (Cont’d)
1. Allow AAA Override to permit ISE to modify user access permissions
2. Enable RADIUS NAC to allow ISE to use Change of Authorisation.
3. Enable Client Profiling to send DHCP attributes to ISE.
4. Enable Local Switching
Configuring ISE Profiling Sensors
Profiling relies on a multitude of “sensors” to assess the client’s device type.
Profiling can always be achieved through a SPAN port; more efficient profiling is achieved through sensors which selectively forward attributes.
For DHCP Profiling:
‒ Option A: Use v7.2 MR1 code to send DHCP attributes in RADIUS accounting messages.
‒ Option B: Use Cisco IOS “ip helper” addressed to ISE on switches adjacent to the WLC.
For HTTP Profiling:
‒ Use the Web-Authentication redirect to get the HTTP user agent.
ISE Deployment Guide: http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
Configuring the Web-Authentication Redirect ACL
The ACL is used in HTTP profiling as well as posture and client provisioning.
1. This ACL will be referenced by name by ISE to restrict the user.
2. Use the ISE server’s IP address to allow only traffic to that site.
Create WebPolicies for FlexConnect Group
This will force all the APs in this FlexConnect Group to support Device On-Boarding
Operating Wireless Branch: Smart Upgrade over WAN
Monitor FlexConnect Latency
RTT for a FlexConnect AP:
• Is recommended to be at most 300 ms for data
• Must be at most 100 ms for voice roaming
The latency tool helps monitor WAN latency
Upgrading a FlexConnect Deployment: Concerns
Sites using FlexConnect APs are usually sites with low WAN bandwidth
Each site may have a small number of APs, but an enterprise may have a lot of branches
Upgrading ~2000 APs through a low bandwidth WAN is a challenge:
• Time needed to download all the AP firmware
• Exhaustion of the WAN link
• Risk of failures during the download
Release 7.2 introduced “Smart AP Image Upgrade”
FlexConnect Smart AP Image Upgrade: Description
Smart AP Image Upgrade uses a « master » AP in each FlexConnect Group to download the code. The other FlexConnect APs download the code from the master locally.
1. Download the upgraded firmware to the WLC (it will become the primary image)
2. Force the « boot image » to be the secondary (and not the newly upgraded one) to avoid a parallel download by all APs in case of an unexpected WLC reboot
3. The WLC elects a master AP in each FlexConnect Group (it can also be set manually)
[Diagram: Prime Infrastructure and the Wireless LAN Controller at the Central Site with Primary (New) and Secondary (Old) firmware images; a Master AP at each of Remote Site-1 … Remote Site-N across the WAN]
FlexConnect Smart AP Image Upgrade: Description (Cont…)
4. The Master AP « pre-downloads » the AP firmware into its secondary « boot image » (this does not disrupt the current service); it can be started group by group to limit WAN exhaustion
5. Slave APs « pre-download » the AP firmware from the Master AP
6. Change the « boot image » of the WLC to the new image
7. Reboot the controller
[Diagram: Prime Infrastructure and the Wireless LAN Controller at the Central Site with Primary/Secondary firmware images; Master AP and slave APs at Remote Site-1 … Remote Site-N holding New/Old AP firmware images in their Primary/Secondary slots]
FlexConnect Smart AP Image Upgrade: Configuration
The “FlexConnect AP Upgrade” checkbox has to be enabled for each FlexConnect Group.
By default, the Master AP for each FlexConnect Group is selected using the lowest-MAC algorithm. One master is selected per AP type.
[Screenshot callouts: Enable Efficient AP Image Upgrade; Master AP Selection is optional; Random Backoff Interval (100-300 sec) between each retry; valid range is 1-63]
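The master election and the per-group download plan described above can be modelled ahead of a maintenance window. The Python below is an added example, not Cisco code or a WLC API: it assumes a constructed fleet inventory (AP name, MAC, model, FlexConnect group) and a per-group flag for the “FlexConnect AP Upgrade” checkbox plus an optional manual master.

```python
"""Plan a Smart AP Image Upgrade: elect one master per AP type per FlexConnect group.

Added example modelling the behaviour described in this session (lowest-MAC master
election, one master per AP type, optional manual master, only groups with the
upgrade checkbox set). The data model and the sample fleet are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Ap:
    name: str
    mac: str      # e.g. "00:1a:2b:3c:4d:5e"
    model: str    # one master is elected per AP type (model)
    group: str    # FlexConnect group name


@dataclass
class FlexGroup:
    name: str
    upgrade_enabled: bool = False                                # "FlexConnect AP Upgrade" checkbox
    manual_master: Dict[str, str] = field(default_factory=dict)  # model -> AP name (optional)


def mac_to_int(mac: str) -> int:
    """Normalise aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff for numeric comparison."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def elect_masters(group: FlexGroup, members: List[Ap]) -> Dict[str, Ap]:
    """Return {model: master AP}. A manually chosen master wins if it is a member of
    that model; otherwise the AP with the lowest MAC of that model is elected."""
    by_model: Dict[str, List[Ap]] = defaultdict(list)
    for ap in members:
        by_model[ap.model].append(ap)
    masters: Dict[str, Ap] = {}
    for model, aps in by_model.items():
        chosen = [ap for ap in aps if ap.name == group.manual_master.get(model)]
        masters[model] = chosen[0] if chosen else min(aps, key=lambda ap: mac_to_int(ap.mac))
    return masters


def plan_upgrade(groups: Dict[str, FlexGroup], fleet: List[Ap]) -> Dict[str, Dict[str, List[str]]]:
    """For every group: which APs pull the image over the WAN (masters), which pull it
    locally from their master (slaves), and which are skipped (checkbox not set)."""
    members: Dict[str, List[Ap]] = defaultdict(list)
    for ap in fleet:
        members[ap.group].append(ap)
    plan: Dict[str, Dict[str, List[str]]] = {}
    for gname, group in groups.items():
        aps = members.get(gname, [])
        if not group.upgrade_enabled:
            plan[gname] = {"wan": [], "local": [], "skipped": [ap.name for ap in aps]}
            continue
        masters = elect_masters(group, aps)
        master_names = {m.name for m in masters.values()}
        plan[gname] = {
            "wan": sorted(master_names),
            "local": sorted(ap.name for ap in aps if ap.name not in master_names),
            "skipped": [],
        }
    return plan


def wan_downloads(plan: Dict[str, Dict[str, List[str]]]) -> int:
    """Number of firmware copies that cross the WAN (one per elected master)."""
    return sum(len(entry["wan"]) for entry in plan.values())


# Constructed sample fleet: three branches, two AP types, one branch not yet enabled.
GROUPS = {
    "Store-1": FlexGroup("Store-1", upgrade_enabled=True),
    "Store-2": FlexGroup("Store-2", upgrade_enabled=True, manual_master={"AP3600": "s2-ap3600-b"}),
    "Store-3": FlexGroup("Store-3", upgrade_enabled=False),
}
FLEET = [
    Ap("s1-ap3600-a", "00:1a:2b:3c:4d:10", "AP3600", "Store-1"),
    Ap("s1-ap3600-b", "00:1a:2b:3c:4d:05", "AP3600", "Store-1"),   # lowest MAC -> master
    Ap("s1-ap2600-a", "00:1a:2b:3c:4e:20", "AP2600", "Store-1"),   # only AP2600 -> master
    Ap("s2-ap3600-a", "00:1a:2b:3c:4f:01", "AP3600", "Store-2"),
    Ap("s2-ap3600-b", "00:1a:2b:3c:4f:02", "AP3600", "Store-2"),   # manual master overrides MAC
    Ap("s3-ap3600-a", "00:1a:2b:3c:50:01", "AP3600", "Store-3"),
]

if __name__ == "__main__":
    plan = plan_upgrade(GROUPS, FLEET)
    for g, entry in plan.items():
        print(g, entry)
    print("WAN downloads:", wan_downloads(plan), "of", len(FLEET), "APs")
```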
FlexConnect Smart AP Image Upgrade: Configuration (Cont)
Per Branch or FlexConnect Group upgrade
Upgrade across all Branches or FlexConnect Groups whose “FlexConnect AP Upgrade” checkbox is set
Summary
Summary
Cisco Unified Wireless Network based on controllers delivers the Wireless Branch solution
FlexConnect is the feature designed to solve remote connectivity and WAN constraints
Several failover scenarios are targeted to offer survivability of small remote sites
FlexConnect Deployment Guide: http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
Q & A
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2013 Polo Shirt!
Complete your Overall Event Survey and 5 Session Evaluations:
‒ Directly from your mobile device on the Cisco Live Mobile App
‒ By visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile
‒ Visit any Cisco Live Internet Station located throughout the venue
Polo Shirts can be collected in the World of Solutions on Friday 8 March 12:00pm-2:00pm
Don’t forget to activate your Cisco Live 365 account for access to all session material, communities, and on-demand and live activities throughout the year. Log into your Cisco Live portal and click the "Enter Cisco Live 365" button.
www.ciscoliveaustralia.com/portal/login.ww